Security professionals are urging Android users to update to the latest version of the mobile operating system (OS) after Google decided to halt security updates for version 4.3 and earlier.


The decision leaves around 60% of Android users without security support. The policy shift was prompted by vulnerabilities that researchers discovered in the WebView component of Android 4.3 and earlier.

But millions of users may not be able to update to the latest version of Android, warned Tod Beardsley, a security researcher at Rapid7 who was among those who reported the WebView vulnerabilities to Google.

WebView, the system component that Android apps use to render web content, was replaced with a Chromium-based version in Android 4.4 (KitKat). Devices running 4.3 or earlier still use the older, pre-Chromium engine.

Instead of issuing a security update for the version of WebView used in Android 4.3 and earlier, Google has decided to withdraw support for all versions of the OS released before Android 4.4.
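For app developers who cannot control which Android version their users run, the practical question is how to tell at run time whether a device still has the pre-Chromium WebView and to limit what that WebView is allowed to do. The following is an added example written for this page, not code from the article, from Google or from Rapid7. It relies on one fact the article implies and that is documented by Android: the Chromium-based WebView arrived with Android 4.4, which is API level 19 (`Build.VERSION_CODES.KITKAT`). The class name, the allow-listed hosts and the `configure`/`loadTrusted` helper names are assumptions made for the example.

```java
// Added example for this page (not the article's, Google's or Rapid7's code).
// Assumption: Android 4.4 / API 19 is the first release with the Chromium
// WebView; anything below it runs the unpatched pre-Chromium engine.
import android.net.Uri;
import android.os.Build;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;

import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public final class LegacyWebViewGuard {

    /** First API level shipping the Chromium-based WebView (Android 4.4). */
    public static final int FIRST_CHROMIUM_WEBVIEW_API = Build.VERSION_CODES.KITKAT; // 19

    /** Hosts this app is willing to render; hypothetical values for the example. */
    private static final Set<String> ALLOWED_HOSTS =
            new HashSet<>(Arrays.asList("example.com", "www.example.com"));

    private LegacyWebViewGuard() {}

    /** True when the device still runs the pre-Chromium (unsupported) WebView. */
    public static boolean usesLegacyWebView() {
        return Build.VERSION.SDK_INT < FIRST_CHROMIUM_WEBVIEW_API;
    }

    /** Only https URLs whose host is on the allow-list may be loaded. */
    static boolean isAllowed(Uri uri) {
        String host = uri.getHost();
        return "https".equals(uri.getScheme()) && host != null && ALLOWED_HOSTS.contains(host);
    }

    /**
     * Locks a WebView down before any content is loaded. On legacy devices the
     * engine gets no JavaScript and no local file/content access, so a hostile
     * page has far less to work with; on all devices navigation is restricted
     * to the allow-list.
     */
    public static void configure(WebView webView) {
        WebSettings settings = webView.getSettings();
        if (usesLegacyWebView()) {
            settings.setJavaScriptEnabled(false);   // off by default, but make it explicit
            settings.setAllowFileAccess(false);     // no file:// reads from the WebView
            settings.setAllowContentAccess(false);  // no content:// reads either
        }
        webView.setWebViewClient(new WebViewClient() {
            // The String overload is the one old API levels invoke; returning
            // true tells the WebView not to load the URL.
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, String url) {
                return !isAllowed(Uri.parse(url));
            }
        });
    }

    /** Loads a URL only after it passes the same allow-list check. */
    public static void loadTrusted(WebView webView, String url) {
        if (!isAllowed(Uri.parse(url))) {
            throw new IllegalArgumentException("refusing to load untrusted URL: " + url);
        }
        webView.loadUrl(url);
    }
}
```

Call `LegacyWebViewGuard.configure(webView)` once when the view is created and route every load through `loadTrusted`. This does not patch the engine; it only reduces the attack surface an app exposes through it, which is the most an app can do on a device whose OS vendor has stopped shipping fixes.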

According to Beardsley, the Android security team told him it would “welcome” a patch from the researchers if they produced one, but would not be making one itself.

“In terms of solid numbers, it would appear that over 930 million Android phones are now out of official Google security patch support,” he wrote in a blog post.

Common-sense approach to security

Chris Boyd, malware intelligence analyst at Malwarebytes, said despite the potential risk of exploits and drive-by attacks, the most likely method of attack is through fake or rogue applications.

“If they avoid sites offering free versions of popular apps and games, and always read the reviews on the Google Play store, then most people will be as safe as they can be, given this new approach to updates,” he said.

Aside from being careful about installing rogue or fake apps, the most obvious way for Android users to stay safe is to update to the latest version of the operating system. But Beardsley pointed out that this option is not open to everyone.

He said that while Google’s decision may appear reasonable, considering it is fairly unusual to support software products that are two or more versions behind, millions of users are stuck with legacy versions.

Beardsley added that the users exposed to pre-Chromium WebView vulnerabilities are precisely those least likely to be able to update to the latest version of Android to get security patches.

“The latest Google Nexus retails for about $660, while the first hit for an ‘Android Phone’ on Amazon retails for under $70.

“This is a nearly tenfold price difference, which implies two very different user bases – one market that doesn't mind dropping a few hundred dollars on a phone, and one which will not or cannot spend much more than $100.

“Taken together, the two-thirds majority installed base of now-unsupported devices and the practical inability of that base to upgrade by replacing hardware means any new bug discovered in ‘legacy Android’ is going to last as a mass-market exploit vector for a long, long time,” he wrote.

Beardsley said although it is possible for handset manufacturers, service providers, retailers, or even enthusiastic users to come up with their own patches, it is impossible to say how often this will happen or how effective these non-Google-sourced patches will be.

For this reason, he appealed to Google’s security team to reconsider its decision.
